> I want to start by pointing out I use two-factor authentication just about everywhere and Facebook is not an exception.

I wish he'd mention what kind of 2FA. The reason you _really_ should use U2F/WebAuthn is because it does origin binding which, unlike entering a TOTP (a code from your hardware token/authenticator app on your phone/SMS/etc.), is not phishable, i.e. you can't enter it by accident on accounts.google.com.totallylegit.ru and then have them enter it on the real accounts.google.com. This is so because the U2F/WebAuthn security key signs a request, sent by your browser, which embeds the requesting page's domain, so a signature on attacker.com will not pass victim.com's verification checks, whereas a code from your authenticator app is trivially copied.

What you're describing here isn't exclusive to hardware tokens, and there's nothing preventing software from checking the domain when using TOTP.

How? TOTP does not embed the domain, as it is generated on a separate device which does not communicate with your browser, and does not know the target domain. TOTP is literally HMAC(shared-secret, time-interval) mapped to a short range (e.g. mod 10^6).
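
Added example (not from any commenter in this thread) showing the difference argued above: RFC 6238 TOTP takes only the shared secret and the time step, so a verifier cannot tell whether the code was typed on the real site or relayed from a look-alike, while a WebAuthn-style assertion carries the browser-reported origin and fails verification when that origin does not match. The secret is the RFC 6238 Appendix B test vector; the credential key, challenge strings and the HMAC standing in for the authenticator's private-key signature are constructed for this example.

```python
import hashlib
import hmac
import json
import struct

# Constructed values: RFC 6238 Appendix B test secret and a made-up credential key.
SECRET = b"12345678901234567890"
CRED_KEY = b"example-credential-key-not-real"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). The origin is not an input."""
    return hotp(secret, unix_time // step, digits)


def totp_verify(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept if the code matches any step within +/- skew.
    Nothing here can tell whether the code was typed on the real site or relayed from a look-alike."""
    candidates = (totp(secret, unix_time + d * step, step) for d in range(-skew, skew + 1))
    return any(hmac.compare_digest(code, c) for c in candidates)


# Simplified WebAuthn-style assertion. A real authenticator signs clientDataJSON with a
# per-credential private key; an HMAC under CRED_KEY stands in for that signature here.
def authenticator_sign(key: bytes, challenge: str, origin: str) -> tuple:
    """The browser supplies `origin`; the authenticator signs it together with the challenge."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).hexdigest()


def rp_verify(key: bytes, expected_origin: str, challenge: str, client_data: bytes, sig: str) -> bool:
    """Relying party: reject unless origin and challenge match before checking the signature."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False  # assertion was produced for a different site: a phishing relay stops here
    return hmac.compare_digest(sig, hmac.new(key, client_data, hashlib.sha256).hexdigest())
```

A code phished at one moment and relayed a few seconds later still passes `totp_verify`, whereas the same relay against `rp_verify` fails on the origin check before the signature is even examined.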

> it is generated on a separate device which does not communicate with your browser, and does not know the target domain.

No, not always, and many password manager solutions do integrate with your browser and know the domain for the password.

Then that's not TOTP (https://datatracker.ietf.org/doc/html/rfc6238) but something different. Do you know what it is called and which products support it? I'd love to read up about it!